-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Long Animation Frame API (LoAF) #911
Comments
Hi @noamr, thank you for proposing this idea and running it through TAG early on. Helping authors remove as much "sluggishness" as possible is always great to see. Given the deep level of browser integration I am curious to hear your thoughts on having this interoperable across UAs. If I read the proposal correctly, you're proposing lots of lower-level details to be exposed - stages of the rendering pipeline, threading model of the browser, and additional data that might help in correlating all of this into a user action, i.e. they triggered style recalc due to In order to make such feature robust I am assuming you envision the ability to construct call graphs. If so, how do you envision event trigger correlation - e.g. Reading the S&P statements in the document and those in the template there seem to be some inconsistencies. For example, in the explainer you say
while the S&P doc says
To me this reads as a bit of contradiction, i.e. a top-level document (an iframe) can receive a cross-origin information from another document in its tree. Further, this information is to be exposed to all windows of the UA making it more of a global exposure. I'm probably misreading your points and if not, can you help me alleviate this concern? |
Thanks for taking a look!
We have discussed some of this with other browser vendors, and the conversation goes on.
We don't expose things to that level - only the total forced style and layout time of a whole script runtime. Still, we'll have to work out interoperability and I see this particular attribute as optional in the spec.
What those lines mean, and I will clarify in the spec, is that the timing itself exposes cross-origin same-agent by design even without this API. You can add timeouts and rAFs to a page, and see if you get delays which are likely due to other same-agent pages doing janky stuff. The API doesn't expose anything other than those delays, and you don't get visibility as to whether they're from other same-agent documents or from general browser slowness or what not. Where we send the info to is to frames that participate in the LoAF in one of the following ways:
We never send script or blocking-duration information to cross-origin frames, only delays that they could otherwise sample themselves. |
Hi @noamr, thanks for the additional context.
I can't tell how supported the feature by other browser vendors is by this statement. Can you please elaborate or point me to observable discussions?
I am concerned that LoAF is attempting to expose something observable today, and make it easier to obtain, cross-origin and cross-frame without justifying if it is good for users or not. In particular, this type of exposure appears as ancillary user data - is it? Couple of additional points:
|
Of course! Minutes of the discussion at TPAC: https://w3c.github.io/web-performance/meetings/2023/2023-09-TPAC/index.html Search LoAF.
The data observed in LoAF is how long rendering in your own origin was delayed. I think it follows the principles in https://w3ctag.github.io/privacy-principles/#information: "New APIs which add new ways of getting information must be guarded at least as strongly as the existing ways". This holds here. Information about how much rendering was delayed is not currently guarded in any way (and cannot be guarded, except by means of process isolation).
Waiting for them to respond to the standards position open issues.
Not only "long running animation", but also "slow responsiveness". |
To demonstrate how this doesn't expose new ancillary data, consider the following. const before = performance.now();
setTimeout(() => {
const delay = performance.now() - before;
}, 0); Same with a To do that with LoAF, you'd have to register an observer, and make sure that the delay surmounts to more than 50ms. This makes LoAF a very blunt instrument to measure things that can be measured in a sharp way today... |
@plinss and I looked at this today and it seems broadly acceptable. We observe that the spec claims that thresholding durations is an effective mitigation strategy for timing attacks. We also noted the monekypatch of WebIDL, hopefully you're talking to the WebIDL folks to get those changes folded in and will be removing the monkeypatch. See our guidance in this area. |
Thanks for the review! Indeed the remaining WebIDL monkey patches are in process of being upstreamed (see whatwg/webidl#1400). I will take your comments into account and make the S&P section of the spec more accurate to those points. |
こんにちは TAG-さん!
I'm requesting a TAG review of Long Animation Frame API.
LoAF an API that lets a webpage measure long periods of time where the main thread was busy/congested, resulting in
sluggishness. It also adds information that helps understand what caused that busy period and act on it.
Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify @noamr
The text was updated successfully, but these errors were encountered: